This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using Sum (*) with tcp.seq

0

hello,

If I am using the sum(*) function on tcp.seq to graph out the TCP sequence number, my y axis values are not equal to the corresponding packet sequence number (adding the Ack sequence number into it). Any suggestions why, or am I missing something?

asked 10 Sep '13, 21:00


iWireshark


One Answer:

1

When using the advanced options in IO graphs, Wireshark will apply the function you specify to the field you specify for all packets that fall within the tick interval.

In the case of sum() on tcp.seq, it will add up all the TCP sequence numbers. This means that if there are multiple packets in the tick interval, you will see the sum of all their sequence numbers in the graph. Depending on what you want to visualize, I think you want to use min(), avg() or max() on tcp.seq instead of sum(), as chances are high that there are multiple packets in one tick interval.

Also please note that a TCP session has two flows (client to server and server to client) for which the sequence numbers are unrelated. It is best to use the filter to select only one of the two streams (filter on tcp.srcport==xxx).

answered 10 Sep '13, 22:21


SYN-bit ♦♦

Thanks for the explanation. Two quick questions

  1. Let's say my tick interval is set to 0.1 sec. Now will the value (tcp.seq with Sum(*) applied) at 2.0 be the sum of the sequence numbers of packets between 1.9 ~ 2.0 or 2.0 ~ 3.0 or some other interval?

  2. How does this handle re-transmissions or "tcp previous segment not captured"? If I have some "tcp previous segment not captured" packets in my tick interval, will they be added if I am using tcp.seq with Sum(*)? Does the same apply for re-transmission packets?

Thanks in advance

(13 Sep '13, 07:23) iWireshark
  1. All points in the graph are drawn in the middle of the interval. So when the interval is 0.1 sec, the first point will be at 0.05, then 0.15, then 0.25. The calculations will be done on the intervals 0.0 to 0.1 sec, 0.1 to 0.2 sec, 0.2 to 0.3 sec, etc.

  2. The IO graphs don't look at packet interpretations; they just do their calculations on the fields. So if there are two packets with the same tcp.seq, it will add up both (when using sum(*)).

(13 Sep '13, 08:35) SYN-bit ♦♦
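The binning and aggregation behaviour described in the answer and the follow-up comments, as an added worked example (this is not code from the original thread or from Wireshark; it is a small Python model of the IO graph advanced mode). The Packet class and the sample trace are constructed here, not taken from a capture, and the interval layout follows the comment above: interval i covers [i*tick, (i+1)*tick) and its point is plotted at the midpoint. It also goes slightly beyond the thread by showing sum() on tcp.len, the kind of field for which sum() over an interval is actually meaningful.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """One TCP segment with the fields the IO graph can aggregate (constructed)."""
    time: float     # frame.time_relative, seconds since the first packet
    srcport: int    # tcp.srcport
    seq: int        # tcp.seq (relative sequence number)
    length: int     # tcp.len (payload bytes)


# Constructed sample trace, not from a real capture: client port 50000 sends
# 1460-byte segments to server port 443; the server's pure ACKs carry the
# server's own, unrelated sequence number 1. The segment at seq 2921 appears
# twice: the second copy is a retransmission inside the same 0.1 s interval.
SAMPLE_TRACE: List[Packet] = [
    Packet(0.010, 50000, 1, 1460),
    Packet(0.020, 443, 1, 0),
    Packet(0.030, 50000, 1461, 1460),
    Packet(0.120, 50000, 2921, 1460),
    Packet(0.150, 443, 1, 0),
    Packet(0.180, 50000, 2921, 1460),   # retransmission of the 0.120 segment
    Packet(0.260, 50000, 4381, 1460),
    Packet(0.270, 443, 1, 0),
]

# The aggregation functions offered by the IO graph advanced mode.
AGGREGATES: Dict[str, Callable[[List[int]], float]] = {
    "sum": sum,
    "min": min,
    "max": max,
    "avg": lambda values: sum(values) / len(values),
}


def io_graph(packets: List[Packet], field: str, func: str, tick: float,
             display_filter: Optional[Callable[[Packet], bool]] = None) -> Dict[float, float]:
    """Model the IO graph advanced mode: apply `func` to `field` of every
    packet that passes `display_filter`, once per tick interval.

    Interval i covers [i*tick, (i+1)*tick); its point is plotted at the
    midpoint (i + 0.5) * tick. Returns {midpoint: aggregated value} for the
    intervals that contain at least one packet. No packet interpretation
    (retransmission, lost segment) is consulted, only the raw field values.
    """
    # Bin on integer microseconds so interval edges do not suffer from float
    # rounding (0.3 // 0.1 == 2.0 in floating point, for example).
    tick_us = int(round(tick * 1_000_000))
    bins: Dict[int, List[int]] = {}
    for p in packets:
        if display_filter is not None and not display_filter(p):
            continue
        i = int(round(p.time * 1_000_000)) // tick_us
        bins.setdefault(i, []).append(getattr(p, field))
    return {round((i + 0.5) * tick, 6): AGGREGATES[func](vals)
            for i, vals in sorted(bins.items())}


def client_only(p: Packet) -> bool:
    """Equivalent of the display filter tcp.srcport==50000 (one direction only)."""
    return p.srcport == 50000


if __name__ == "__main__":
    # What the asker saw: sum(*) of tcp.seq with both directions mixed in.
    print("sum(tcp.seq), both directions:", io_graph(SAMPLE_TRACE, "seq", "sum", 0.1))
    # Filtering one direction helps, but the retransmission is still counted twice.
    print("sum(tcp.seq), client only:    ", io_graph(SAMPLE_TRACE, "seq", "sum", 0.1, client_only))
    # max() on one direction tracks the highest sequence number sent per interval.
    print("max(tcp.seq), client only:    ", io_graph(SAMPLE_TRACE, "seq", "max", 0.1, client_only))
    # sum() is the natural choice for a byte-count field such as tcp.len.
    print("sum(tcp.len), client only:    ", io_graph(SAMPLE_TRACE, "length", "sum", 0.1, client_only))
```

With the constructed trace the first interval (plotted at 0.05) holds three packets, so sum(tcp.seq) over both directions gives 1463 rather than any sequence number that occurs on the wire, and the second interval (plotted at 0.15) still gives 5842 after filtering on the client port because the retransmitted segment contributes its tcp.seq a second time; max(tcp.seq) on the filtered stream yields 1461, 2921, 4381, which is the progression of the client's sequence numbers.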